From 95e2025ff9ac07644175689b873749fc2087eef2 Mon Sep 17 00:00:00 2001
From: mayjs <johannes.may@udo.edu>
Date: Mon, 15 May 2017 19:43:53 +0200
Subject: Changed GET /api/boards/:id to allow access by the normally also
 allowed users.

---
 models/boards.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'models/boards.js')

diff --git a/models/boards.js b/models/boards.js
index f2ac794e..3778963f 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -557,7 +557,6 @@ if (Meteor.isServer) {
 //BOARDS REST API
 if (Meteor.isServer) {
   JsonRoutes.add('GET', '/api/user/boards', function (req, res, next) {
-    // TODO: This should be changed to be less restrictive!
     Authentication.checkLoggedIn(req.userId);
 
     const data = Boards.find({
@@ -589,8 +588,12 @@ if (Meteor.isServer) {
   });
 
   JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) {
-    Authentication.checkUserId( req.userId);
+    Authentication.checkLoggedIn( req.userId);
     const id = req.params.id;
+    const board = Boards.findOne({ _id: id });
+    const normalAccess = board.permission === 'public' || board.members.some(e => e._id === req.userId);
+    Authentication.checkAdminOrCondition(req.userId, normalAccess);
+
     JsonRoutes.sendResult(res, {
       code: 200,
       data: Boards.findOne({ _id: id }),
-- 
cgit v1.2.3-1-g7c22